New Sykipot Trojan Variant May Compromise Smart-cards

A researcher at AlienVault Labs says he has discovered a sample of the Sykipot Trojan that can hijack the Common Access Cards (CACs) used by the U.S. Department of Defense (DOD), Redmondmag.com reported on January 17, 2012.

A smart card interfaces with a PC through a dedicated reader and relies on a PIN code together with a digital certificate to complete authentication. Sykipot itself is normally used in advanced persistent threat (APT) attacks. According to AlienVault's Jaime Blasco, the newly examined Sykipot sample carries a number of commands for capturing smart-card details, which are then used to access protected resources.

The attack begins with a spear-phishing e-mail carrying a malicious PDF attachment. When opened, the file exploits a recently patched Adobe flaw and installs the Sykipot malware on the victim's PC. The malware then uses a keystroke logger to steal the PIN of the Access Card. Alongside the smart card's login credentials, the sample also enumerates the public key infrastructure (PKI) certificates held in the infected PC's own certificate store, Blasco explains.

He adds that the attackers can only make use of the smart card while it is inserted in its reader, Eweek.com reported on January 17, 2012.

Blasco also says that while Trojans attacking smart cards are not new, a Trojan targeting CACs is particularly significant because these cards are widely deployed at the DOD and other U.S. government organizations, and because the attackers appear to be after a specific kind of information for exfiltration, ITWorld Canada reported on January 18, 2012.

In December 2011, Sykipot was distributed in an APT attack on computer hardware, manufacturing, telecommunications, defense and chemical companies. That attack abused a zero-day flaw in Adobe Reader that has since been fixed.

According to AlienVault's researchers, the same attackers launched both campaigns, DarkReading reports. Blasco adds that they used the same methods and even shared code across further attacks, Redmondmag.com reported.